From 99d9a32bfabe97a6eeeccb024a68feed331d8f74 Mon Sep 17 00:00:00 2001
From: The Fox in the Shell
Date: Wed, 25 May 2016 15:51:26 +0200
Subject: Make `restricted-network` prevent use of netfilter
---
 src/firejail/main.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
(limited to 'src')
diff --git a/src/firejail/main.c b/src/firejail/main.c
index a540d468b..a2342843b 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1675,6 +1675,18 @@ int main(int argc, char **argv) {
 #ifdef HAVE_NETWORK
 else if (strcmp(argv[i], "--netfilter") == 0) {
+#ifdef HAVE_NETWORK_RESTRICTED
+ // compile time restricted networking
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+ exit(1);
+ }
+#endif
+ // run time restricted networking
+ if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+ fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+ exit(1);
+ }
 if (checkcfg(CFG_NETWORK)) {
 arg_netfilter = 1;
 }
@@ -1685,6 +1697,18 @@ int main(int argc, char **argv) {
 }
 else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
+#ifdef HAVE_NETWORK_RESTRICTED
+ // compile time restricted networking
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+ exit(1);
+ }
+#endif
+ // run time restricted networking
+ if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+ fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+ exit(1);
+ }
 if (checkcfg(CFG_NETWORK)) {
 arg_netfilter = 1;
 arg_netfilter_file = argv[i] + 12;
--
cgit v1.2.3-70-g09d2
From 10bf7d9418fb2d5aabaa5de6ffa8638e75bcbbdd Mon Sep 17 00:00:00 2001
From: The Fox in the Shell
Date: Wed, 25 May 2016 15:59:46 +0200
Subject: Document the restricted-network change
---
 README.md | 6 +++---
 etc/firejail.config | 4 ++--
 src/man/firejail-config.txt | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)
(limited to 'src')
diff --git a/README.md b/README.md
index 4fa79d9f2..ce4aa4073 100644
--- a/README.md
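Review bot: The twelve lines added in the `--netfilter` branch are repeated verbatim in the `--netfilter=` hunk that follows, and within each copy the `#ifdef HAVE_NETWORK_RESTRICTED` block and the `checkcfg(CFG_RESTRICTED_NETWORK)` test both reduce to the same `getuid() != 0` check printing the same message, so one static helper called from both branches would keep the two gates from drifting apart as the parser grows. The gate also runs before `checkcfg(CFG_NETWORK)`, so a non-root caller on an installation with networking disabled in firejail.config is told the option is root-only rather than whatever the disabled-network path reports; calling the helper inside the `checkcfg(CFG_NETWORK)` branch keeps the diagnostics consistent. If main() accepts any other spelling that loads netfilter rules, it presumably needs the same gate, since these two branches are the only ones the commit covers. The body of main() starts and ends outside both hunks.
```c
// Refuse the --netfilter options for non-root callers when restricted
// networking is compiled in (HAVE_NETWORK_RESTRICTED) or enabled at run
// time in firejail.config (CFG_RESTRICTED_NETWORK); exits on refusal.
static void check_netfilter_allowed(void) {
	int restricted = checkcfg(CFG_RESTRICTED_NETWORK);
#ifdef HAVE_NETWORK_RESTRICTED
	restricted = 1;
#endif
	if (restricted && getuid() != 0) {
		fprintf(stderr, "Error: --netfilter is only allowed for root\n");
		exit(1);
	}
}

		else if (strcmp(argv[i], "--netfilter") == 0) {
			if (checkcfg(CFG_NETWORK)) {
				check_netfilter_allowed();
				arg_netfilter = 1;
			}
			// … unchanged: remainder of the branch; the --netfilter= branch gets the same call …
```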
+++ b/README.md
@@ -197,9 +197,9 @@ The following features can be enabled or disabled:
 restricted-network
 Enable or disable restricted network support, default disabled.
 If enabled, networking features should also be enabled (network
- yes). Restricted networking grants access to --interface and
- --net=ethXXX only to root user. Regular users are only allowed
- --net=none.
+ yes). Restricted networking grants access to --interface,
+ --net=ethXXX and --netfilter only to root user. Regular users
+ are only allowed --net=none.
 Default disabled
 secomp
 Enable or disable seccomp support, default enabled.
diff --git a/etc/firejail.config b/etc/firejail.config
index 41cd08e68..fc09f1a0a 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -17,8 +17,8 @@
 # Enable or disable restricted network support, default disabled. If enabled,
 # networking features should also be enabled (network yes).
-# Restricted networking grants access to --interface and --net=ethXXX
-# only to root user. Regular users are only allowed --net=none.
+# Restricted networking grants access to --interface, --net=ethXXX and
+# --netfilter only to root user. Regular users are only allowed --net=none.
 # restricted-network no
 # Enable or disable seccomp support, default enabled.
diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt
index fcf4109ee..de89ff3eb 100644
--- a/src/man/firejail-config.txt
+++ b/src/man/firejail-config.txt
@@ -33,8 +33,8 @@ Enable or disable networking features, default enabled.
 \fBrestricted-network
 Enable or disable restricted network support, default disabled. If enabled,
 networking features should also be enabled (network yes).
-Restricted networking grants access to --interface and --net=ethXXX
-only to root user. Regular users are only allowed --net=none.
+Restricted networking grants access to --interface, --net=ethXXX and
+\-\-netfilter only to root user. Regular users are only allowed --net=none.
 .TP
 \fBsecomp
--
cgit v1.2.3-70-g09d2